Closed
Labels: 3.8 (EOL), 3.9, 3.10, 3.11, 3.12, 3.13, type-security
Description
"pth files are evil." (Barry Warsaw, #78125)
There is a special kind of evilness:
- pth files allow executing arbitrary Python code.
- pth files are executed automatically, unlike normal py files, which need an explicit import or to be passed as an argument to the Python interpreter.
- Some files are hidden by default (in shells and file managers), in particular dot-files on POSIX.
In sum, it increases the risk of executing malicious code. When you receive a handful of files, you, as a cautious person, check their contents before executing. If Python source files are hidden, it's okay, because you saw that nothing suspicious is imported in the files that you execute. But pth files can be executed even if you do not see them and there are no references in visible files.
This issue was first discussed in comments in #113357.
The severity of this issue is not very large, because it requires user interaction to activate. But it increases the risk. I think we should forbid processing hidden pth files.
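The following is an added example, not part of the issue or of CPython's own `site.py`. It audits a site directory for `.pth` files by re-implementing the line rules that `site.addpackage()` applies (comment lines starting with `#`, lines starting with `import ` or `import\t` are passed to `exec()`, everything else is added to `sys.path`) and shows which files the old and the fixed interpreter would act on. It models only the dot-file rule from the linked fix; the real fix also consults OS hidden-file attributes, which this example does not reproduce. The sample `.pth` contents and the directory are constructed on the fly; the function names are this example's own.

```python
"""Audit .pth files in a site directory for code-executing lines.

Example code (not CPython's site.py). It mirrors the parsing rules of
site.addpackage() so the audit runs without importing anything:
  - lines starting with '#' are comments,
  - lines starting with 'import ' or 'import\\t' are exec()'d by site.py,
  - any other non-empty line is appended to sys.path.
A filename starting with '.' is what the fix in gh-113660 skips
(assumption: the real fix also checks OS hidden attributes, not modelled here).
"""
import os
import tempfile
from pathlib import Path


def audit_pth_dir(site_dir):
    """Return a list of (filename, hidden, exec_lines) for each .pth file.

    exec_lines are the lines site.py would pass to exec(). Hidden files are
    reported too, so the caller can see what the fixed interpreter ignores.
    """
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        hidden = name.startswith(".")  # POSIX dot-file convention
        path = os.path.join(site_dir, name)
        exec_lines = []
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if not line.strip() or line.startswith("#"):
                    continue  # blank or comment: site.py ignores it
                if line.startswith(("import ", "import\t")):
                    exec_lines.append(line)  # site.py would exec() this
                # any other line is only a sys.path entry, not code
        findings.append((name, hidden, exec_lines))
    return findings


def would_execute(site_dir, skip_hidden=True):
    """Names of .pth files whose import lines the interpreter would exec().

    skip_hidden=True models the fixed site.py; False models the old one.
    """
    return [
        name
        for name, hidden, exec_lines in audit_pth_dir(site_dir)
        if exec_lines and not (hidden and skip_hidden)
    ]


def make_sample_site_dir():
    """Create a throwaway directory holding constructed sample .pth files."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    # Harmless path-only file: what most .pth files look like.
    Path(d, "visible.pth").write_text("/opt/libs\n", encoding="utf-8")
    # Hidden file with a code-executing line (constructed, benign payload).
    Path(d, ".sneaky.pth").write_text(
        "# looks like a comment\n"
        "import os; os.environ['PTH_AUDIT_DEMO'] = '1'\n",
        encoding="utf-8",
    )
    return d


if __name__ == "__main__":
    d = make_sample_site_dir()
    for name, hidden, exec_lines in audit_pth_dir(d):
        print(f"{name}: hidden={hidden} exec_lines={exec_lines}")
    print("old interpreter would exec:", would_execute(d, skip_hidden=False))
    print("fixed interpreter would exec:", would_execute(d, skip_hidden=True))
```

Run it against a real `site-packages` directory (`python -c "import site; print(site.getsitepackages())"` gives the paths) to list every `.pth` file that carries an `import` line; on a pre-fix interpreter each of those, hidden or not, runs at every startup.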
Linked PRs
- gh-113659: Skip hidden .pth files #113660
- [3.12] gh-113659: Skip hidden .pth files (GH-113660) #114143
- [3.11] gh-113659: Skip hidden .pth files (GH-113660) #114144
- [3.10] gh-113659: Skip hidden .pth files (GH-113660) #114145
- [3.9] gh-113659: Skip hidden .pth files (GH-113660) #114146
- [3.8] gh-113659: Skip hidden .pth files (GH-113660) #114147